CMMC 2.0 Complete Guide: Requirements, Levels & Timeline (2026)
Posted: March 5, 2026 to Compliance.
CMMC 2.0 (Cybersecurity Maturity Model Certification) is the Department of Defense's mandatory cybersecurity framework that requires all defense contractors to verify their cybersecurity practices before they can win or maintain DoD contracts. CMMC 2.0 has three levels: Level 1 requires 17 basic cyber hygiene practices for Federal Contract Information (FCI), Level 2 requires 110 practices aligned to NIST SP 800-171 for Controlled Unclassified Information (CUI), and Level 3 requires 134 practices based on NIST SP 800-172 for the most sensitive programs. The final CMMC rule (32 CFR Part 170) took effect on December 16, 2024, and assessments began in Q1 2025. Every company in the Defense Industrial Base that handles FCI or CUI must achieve the appropriate CMMC level or lose eligibility for DoD contracts.
As someone who has guided over 200 defense contractors through NIST 800-171 and CMMC readiness over the past eight years, I can tell you that the organizations succeeding with CMMC are the ones that started early and treated it as a security program rather than a checkbox exercise. This guide covers everything you need to know about CMMC 2.0 in 2026, from the three certification levels to the assessment process, timeline, and realistic cost expectations.
What Is CMMC 2.0
The Cybersecurity Maturity Model Certification is a unified cybersecurity standard created by the Department of Defense to protect sensitive defense information across the entire supply chain. Before CMMC, defense contractors were expected to self-attest to NIST SP 800-171 compliance through DFARS clause 252.204-7012. The problem was that self-attestation had no verification mechanism. A 2019 DoD Inspector General report found that contractors routinely claimed compliance without implementing required controls. Adversaries, particularly nation-state actors from China and Russia, exploited these gaps to steal critical defense data including F-35 fighter jet designs, submarine warfare systems, and missile defense technology.
CMMC 2.0 solves this by requiring independent third-party verification for organizations handling CUI. The framework was first announced in January 2020 as CMMC 1.0 with five levels. In November 2021, the DoD streamlined it to three levels and renamed it CMMC 2.0. The final rule was published on October 15, 2024, and became effective December 16, 2024.
Key differences between CMMC 1.0 and CMMC 2.0 include the reduction from five levels to three, elimination of CMMC-unique practices that went beyond NIST standards, allowance of Plans of Action and Milestones (POA&Ms) for certain controls, introduction of a phased rollout rather than immediate enforcement across all contracts, and alignment directly with existing NIST SP 800-171 and 800-172 standards.
The Three CMMC 2.0 Levels Explained
CMMC 2.0 establishes three maturity levels, each building on the one below it. The level required for your organization depends on the type of information you handle in performance of DoD contracts.
Level 1: Foundational (17 Practices)
CMMC Level 1 applies to organizations that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). FCI is information provided by or generated for the government under contract that is not intended for public release. Level 1 requires implementation of 17 practices drawn from FAR clause 52.204-21, covering basic cyber hygiene.
The 17 Level 1 practices include requirements such as limiting system access to authorized users, controlling the flow of FCI on systems, verifying and controlling connections to external systems, controlling information posted on public systems, identifying and authenticating users, sanitizing or destroying media before disposal, screening personnel with system access, limiting physical access, escorting visitors, maintaining audit logs, protecting communications transmissions, establishing and maintaining system security, identifying and remediating vulnerabilities, performing malware scanning, updating malicious code protections, and monitoring organizational systems.
Assessment method: Annual self-assessment. Results must be entered into the Supplier Performance Risk System (SPRS). No third-party certification is required.
Typical timeline to achieve: 1 to 3 months for organizations with basic IT security already in place.
Level 2: Advanced (110 Practices)
CMMC Level 2 is the most significant level for the majority of defense contractors. It applies to organizations that process, store, or transmit Controlled Unclassified Information and requires implementation of all 110 security requirements from NIST SP 800-171 Revision 2. These 110 practices are organized across 14 domains and represent a comprehensive cybersecurity program.
Level 2 is divided into two assessment paths based on the criticality of the CUI involved:
Level 2 with Third-Party Assessment (C3PAO): Required for contracts involving CUI that the DoD designates as critical or high-value. A CMMC Third-Party Assessment Organization (C3PAO) conducts the assessment. Certification is valid for three years with an annual affirmation requirement.
Level 2 with Self-Assessment: Permitted for contracts involving CUI that is not designated as critical. The organization conducts its own assessment against NIST SP 800-171 and submits results to SPRS. This path still requires rigorous documentation including a complete System Security Plan (SSP) and any applicable POA&Ms.
Typical timeline to achieve: 6 to 18 months depending on starting posture, organizational complexity, and scope of CUI environment.
Level 3: Expert (134 Practices)
CMMC Level 3 is reserved for the highest-priority programs and applies to a small subset of the defense industrial base. It includes all 110 NIST SP 800-171 practices plus 24 additional practices selected from NIST SP 800-172 (Enhanced Security Requirements for Protecting CUI). Level 3 focuses on protecting CUI against advanced persistent threats (APTs) and includes requirements for penetration testing, security operations centers, and advanced threat hunting capabilities.
Assessment method: Government-led assessment conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Typical timeline to achieve: 18 to 36 months. Most organizations at this level have dedicated cybersecurity teams and significant existing security infrastructure.
The 14 CMMC Domains
CMMC Level 2 organizes its 110 practices across 14 security domains. Understanding these domains is essential for scoping your compliance program and allocating resources appropriately.
1. Access Control (AC) — 22 practices. Restricting system and data access to authorized users, processes, and devices. This is the largest domain and includes requirements for account management, separation of duties, least privilege, remote access, and wireless access controls.
2. Awareness and Training (AT) — 3 practices. Ensuring personnel are aware of security risks and trained on policies and procedures. Includes role-based training for privileged users and system administrators.
3. Audit and Accountability (AU) — 9 practices. Creating, protecting, and reviewing system audit logs. Requirements cover audit event logging, audit record content, audit log capacity, audit review and reporting, and time synchronization.
4. Configuration Management (CM) — 9 practices. Establishing and maintaining baseline configurations for systems and controlling changes. Includes configuration change control, security impact analysis, and restricting unauthorized software.
5. Identification and Authentication (IA) — 11 practices. Verifying the identity of users, processes, and devices. Covers multi-factor authentication, password complexity, authenticator management, and replay-resistant authentication.
6. Incident Response (IR) — 3 practices. Establishing incident handling capabilities. Requires incident response plans, incident tracking, and reporting incidents to appropriate authorities.
7. Maintenance (MA) — 6 practices. Performing timely maintenance on organizational systems. Addresses controlled maintenance, maintenance tools, and nonlocal maintenance requirements.
8. Media Protection (MP) — 9 practices. Protecting both digital and physical media containing CUI. Covers media access, media marking, media storage, media transport, media sanitization, and CUI handling on portable storage devices.
9. Personnel Security (PS) — 2 practices. Screening individuals before granting access and ensuring access is revoked promptly upon personnel actions like termination or transfer.
10. Physical Protection (PE) — 6 practices. Limiting physical access to systems, equipment, and operating environments. Addresses facility access, visitor management, and physical access monitoring.
11. Risk Assessment (RA) — 3 practices. Identifying and evaluating risk to organizational operations, assets, and individuals. Requires periodic risk assessments and vulnerability scanning.
12. Security Assessment (CA) — 4 practices. Periodically assessing security controls, developing and implementing plans of action, and monitoring security controls on an ongoing basis.
13. System and Communications Protection (SC) — 16 practices. Monitoring and protecting communications at system boundaries. Covers CUI encryption in transit and at rest, architectural designs, network segmentation, and session termination.
14. System and Information Integrity (SI) — 7 practices. Identifying, reporting, and correcting system flaws in a timely manner. Includes malicious code protection, security alert monitoring, and system monitoring.
Who Needs CMMC Certification
CMMC applies to every organization in the Defense Industrial Base (DIB) supply chain, not just prime contractors. If your company meets any of these criteria, you need CMMC certification:
You hold a DoD contract with DFARS clause 252.204-7012. This clause has been in contracts since 2017 and requires NIST SP 800-171 compliance. CMMC adds verification to this existing requirement.
You are a subcontractor to a DoD prime contractor. CUI flows down through the supply chain. If a prime contractor shares CUI with you, you need the same CMMC level they do for that information.
You handle FCI under a government contract. Even if you do not handle CUI, any organization with a federal contract containing FAR clause 52.204-21 needs at least CMMC Level 1.
You plan to bid on future DoD contracts. The phased rollout means CMMC requirements are appearing in new solicitations throughout 2025 and 2026. Organizations that wait until they see CMMC in a solicitation will not have time to achieve compliance before the bid deadline.
It is estimated that over 220,000 companies in the DIB will ultimately need some level of CMMC certification. About 80,000 of these will need Level 2, and a few hundred will need Level 3.
The CMMC Assessment Process
The assessment process differs by level. Here is what to expect at each stage.
Level 1 Self-Assessment: Your organization reviews its implementation of all 17 practices, documents the results, and has a senior company official sign an affirmation statement. Results are entered into SPRS. This must be repeated annually.
Level 2 Self-Assessment: Similar to Level 1 but far more rigorous, covering all 110 NIST SP 800-171 practices. Requires a complete System Security Plan documenting how each practice is implemented, evidence artifacts for each practice, SPRS score calculation (110 minus weighted point values for unimplemented practices), and senior official affirmation.
Level 2 C3PAO Assessment: This is the most common assessment path for CUI-handling organizations. The process involves the following steps:
- Select a C3PAO from the Cyber AB marketplace.
- Schedule a pre-assessment consultation to define scope and logistics.
- The C3PAO review team (typically 2 to 4 assessors) conducts the assessment over 3 to 5 days on-site, reviewing documentation and interviewing personnel for all 110 practices.
- Each practice receives a MET, NOT MET, or NOT APPLICABLE determination.
- If deficiencies are found, you may submit a POA&M for certain practices.
- The C3PAO submits results to the CMMC eMASS system.
- The Cyber AB issues your certification upon successful completion.
Level 3 Government Assessment: DIBCAC conducts a comprehensive government-led assessment that builds on your Level 2 certification. The scope includes the 24 additional NIST SP 800-172 practices plus a deeper evaluation of your overall cybersecurity maturity.
CMMC Timeline and Phased Rollout
The DoD is implementing CMMC through a four-phase rollout tied to the 48 CFR rulemaking process:
Phase 1 (Beginning Q1 2025): The DoD began including CMMC Level 1 self-assessment and Level 2 self-assessment requirements in new contracts. This phase is active now.
Phase 2 (Beginning Q1 2026): Level 2 C3PAO third-party assessments begin appearing as requirements in applicable contracts. This is the current phase as of this writing. Organizations that have not begun their CMMC journey are running out of time.
Phase 3 (Beginning Q1 2027): Level 3 government-led assessments are included in applicable contracts. Level 2 C3PAO requirements expand to all contracts involving critical CUI.
Phase 4 (Beginning Q4 2027): Full implementation. CMMC requirements at the appropriate level are included in all applicable DoD contracts. The option period for any existing contract will require CMMC as a condition of exercising the option.
Critical deadline awareness: Although Phase 4 full implementation is not until late 2027, contracting officers have discretion to include CMMC requirements in solicitations earlier than the phase schedule. We are already seeing Level 2 C3PAO requirements in 2026 solicitations. The time to prepare is now, not when you see the requirement in an RFP.
CMMC Compliance Costs
CMMC compliance costs vary significantly based on your organization's size, existing security maturity, and the scope of your CUI environment. The following estimates are based on our experience helping over 200 contractors through the process.
Level 1 estimated costs:
- Internal time for self-assessment and documentation: $2,000 to $5,000
- Remediation of gaps (if any): $1,000 to $10,000
- Consulting assistance (optional): $3,000 to $8,000
- Total Level 1 range: $3,000 to $20,000
Level 2 estimated costs for a 50-person company:
- Gap assessment and roadmap: $15,000 to $30,000
- Technology remediation (SIEM, MFA, encryption, backup, endpoint): $50,000 to $150,000
- Policy and documentation development: $10,000 to $25,000
- Managed security services (ongoing): $3,000 to $8,000 per month
- C3PAO assessment fee: $30,000 to $120,000
- Total Level 2 first-year range: $120,000 to $350,000
- Ongoing annual costs: $40,000 to $100,000
Level 3 estimated costs: Level 3 costs are highly variable but typically range from $500,000 to $2 million or more for initial implementation, with annual ongoing costs of $200,000 to $500,000. Most Level 3 organizations have dedicated cybersecurity staff and existing security operations infrastructure.
Cost reduction strategies: The single most effective way to reduce CMMC costs is to minimize the scope of your CUI environment. Rather than trying to secure your entire network to CMMC Level 2 standards, create a defined CUI enclave, a segmented portion of your network where CUI is processed and stored. This approach can reduce compliance costs by 40 to 60 percent.
SPRS Score and Self-Assessment
The Supplier Performance Risk System (SPRS) score is a numeric representation of your NIST SP 800-171 implementation status. A perfect score is 110, meaning all 110 practices are fully implemented. Each unimplemented practice reduces your score by 1, 3, or 5 points depending on the DoD's weighting of that practice.
The lowest possible SPRS score is -203 (no practices implemented), but contracting officers can set minimum score thresholds for individual solicitations. In practice, organizations with scores below 70 face significant challenges winning new contracts.
To calculate your SPRS score, review each of the 110 NIST SP 800-171 practices, determine whether each practice is fully implemented, partially implemented, or not implemented, sum the weighted point values for all practices that are not fully implemented, and subtract that sum from 110.
Your SPRS score must be current (within the last three years for C3PAO assessments, annually for self-assessments) and entered into the SPRS system. A senior company official must sign an affirmation statement attesting to the accuracy of the score.
Plans of Action and Milestones
CMMC 2.0 allows Plans of Action and Milestones (POA&Ms) for certain practices that are not fully implemented at the time of assessment. This is a significant change from CMMC 1.0, which required 100 percent implementation with no exceptions.
POA&M rules under CMMC 2.0 include the following: POA&Ms are not permitted for Level 1. For Level 2, POA&Ms are allowed but with strict limitations. Your SPRS score must be at least 80 percent of the maximum (88 out of 110) even with the POA&M items. Certain high-weighted practices cannot be placed on POA&M. All POA&M items must be closed within 180 days of the assessment. Failure to close POA&M items within 180 days results in loss of certification.
POA&Ms are a tool for managing the final stretch of compliance, not a way to defer significant work. Organizations that enter a C3PAO assessment planning to POA&M their way through major gaps will likely fail.
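The SPRS calculation described in the previous section and the Level 2 POA&M conditions above can be checked mechanically before an assessment. The script below is an added illustration, not the DoD's scoring tool or anything from the Cyber AB: it subtracts the 1, 3 or 5 point weight of every practice that is not fully implemented from 110, tests the 88-point threshold, splits the remaining gaps into POA&M candidates and must-fix-first items, and computes the 180-day closure date. The practice list is a constructed sample with illustrative weights (not the official DoD assessment-methodology values), and the default eligibility rule (only 1-point practices may be deferred) is an assumption made for the example; the binding rule is whatever 32 CFR Part 170 specifies for each practice.

```python
"""SPRS score and POA&M eligibility check (illustrative; not the DoD tool)."""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110          # all 110 NIST SP 800-171 practices fully implemented
POAM_MIN_SCORE = 88      # 80 percent of the maximum, as stated in the text
POAM_CLOSE_DAYS = 180    # POA&M items must be closed within 180 days
VALID_WEIGHTS = {1, 3, 5}
ASSESSMENT_DATE = date(2026, 3, 5)   # constructed sample assessment date


@dataclass(frozen=True)
class Practice:
    """One NIST SP 800-171 Rev 2 requirement and its current status."""
    pid: str       # requirement number, e.g. "3.5.3"
    weight: int    # DoD point value: 1, 3 or 5 (constructed values below)
    status: str    # "implemented", "partial" or "not_implemented"


def sprs_score(practices):
    """Return 110 minus the weight of every practice not fully implemented.

    Practices omitted from the list are treated as fully implemented, so the
    caller only has to enumerate the gaps. A partially implemented practice
    loses its full weight, following the text's rule that the deduction
    applies to everything that is "not fully implemented".
    """
    deduction = 0
    for p in practices:
        if p.weight not in VALID_WEIGHTS:
            raise ValueError(f"{p.pid}: weight must be 1, 3 or 5, got {p.weight}")
        if p.status not in ("implemented", "partial", "not_implemented"):
            raise ValueError(f"{p.pid}: unknown status {p.status!r}")
        if p.status != "implemented":
            deduction += p.weight
    return MAX_SCORE - deduction


def _default_eligible(p):
    # ASSUMPTION for illustration: only 1-point practices may go on a POA&M.
    return p.weight == 1


def poam_plan(practices, assessment_date, poam_eligible=_default_eligible):
    """Split open gaps into POA&M candidates and items to fix before assessing.

    `poam_eligible` decides which practices may be deferred; replace it with
    the rule from 32 CFR Part 170 for a real engagement.
    """
    score = sprs_score(practices)
    gaps = [p for p in practices if p.status != "implemented"]
    deferrable = [p.pid for p in gaps if poam_eligible(p)]
    must_fix = [p.pid for p in gaps if not poam_eligible(p)]
    return {
        "score": score,
        "score_ok": score >= POAM_MIN_SCORE,
        # A POA&M is an option only if the threshold is met AND every
        # remaining gap sits on a deferrable practice.
        "poam_possible": score >= POAM_MIN_SCORE and not must_fix,
        "poam_items": deferrable,
        "remediate_before_assessment": must_fix,
        "poam_deadline": assessment_date + timedelta(days=POAM_CLOSE_DAYS),
    }


# Constructed sample: only the gaps are listed; weights are illustrative,
# not the official DoD scoring values.
SAMPLE_GAPS = [
    Practice("3.5.3", 5, "partial"),           # MFA rolled out to admins only
    Practice("3.13.11", 5, "not_implemented"), # FIPS-validated crypto for CUI
    Practice("3.14.7", 3, "not_implemented"),  # unauthorized-use detection
    Practice("3.3.3", 1, "not_implemented"),   # audit log review
    Practice("3.6.3", 1, "partial"),           # IR capability testing
]

if __name__ == "__main__":
    for key, value in poam_plan(SAMPLE_GAPS, ASSESSMENT_DATE).items():
        print(f"{key}: {value}")
```

Run against the sample, the score is 95: above the 88 threshold, but three of the five gaps carry more than one point, so under the assumed rule they must be remediated before the C3PAO visit and only the two 1-point items are POA&M candidates. That is exactly the "final stretch, not deferral" situation the text describes; swapping in the real eligibility rule changes which practices land in each bucket, not the shape of the check.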
CUI Enclaves and Scoping
Scoping is arguably the most important strategic decision in your CMMC compliance journey. The scope of your assessment determines which systems, networks, and personnel are subject to the 110 Level 2 practices.
A CUI enclave is a defined boundary within your network where CUI is processed, stored, and transmitted. Everything inside the enclave must meet CMMC requirements. Everything outside it does not, though systems that connect to the enclave may be classified as Security Protection Assets that require a subset of controls.
CMMC scoping categories include:
- CUI Assets: Systems that process, store, or transmit CUI. Subject to all 110 practices.
- Security Protection Assets: Systems that provide security functions for the CUI environment (firewalls, SIEM, domain controllers). Subject to relevant practices.
- Contractor Risk Managed Assets: Systems that can but do not process CUI, and are not security protection assets. The contractor determines and documents the risk.
- Specialized Assets: IoT devices, OT systems, test equipment, and government-furnished equipment that may have limited ability to implement all practices.
- Out of Scope Assets: Systems completely separated from CUI processing with no connection to the CUI enclave.
Effective scoping strategies include using a dedicated virtual desktop infrastructure (VDI) or cloud enclave for CUI processing, implementing network segmentation to isolate the CUI environment, using a managed CUI enclave service from a provider like Petronella Technology Group, and minimizing the number of personnel with CUI access.
Common CMMC Compliance Mistakes
After working with hundreds of defense contractors, these are the mistakes I see most frequently:
1. Waiting for the requirement to appear in a contract. By the time CMMC is in your RFP, you do not have time to achieve compliance. Level 2 takes 6 to 18 months for most organizations. Start now.
2. Confusing IT management with cybersecurity compliance. Having a managed IT provider does not mean you are CMMC compliant. Most general IT providers do not understand NIST SP 800-171 controls, cannot produce the documentation required for assessment, and have not configured your environment to meet specific practice requirements.
3. Underestimating documentation requirements. CMMC assessors verify compliance through documentation review and personnel interviews, not just technical testing. You need a complete System Security Plan, policies for all 14 domains, procedures for key processes, and evidence artifacts for every practice. Organizations that focus exclusively on technology and ignore documentation fail their assessments.
4. Trying to secure the entire network. As discussed in the scoping section, trying to make your entire corporate network CMMC Level 2 compliant is unnecessarily expensive. Define a CUI enclave and minimize scope.
5. Choosing the wrong consulting partner. The CMMC ecosystem includes many new entrants with limited experience. Look for consultants with verifiable experience helping organizations achieve NIST SP 800-171 compliance, knowledge of the specific technologies and architectures used in CUI enclaves, the ability to provide both technical implementation and documentation support, and references from organizations that have passed C3PAO assessments.
How to Get Started with CMMC
Whether you are starting from scratch or have an existing NIST SP 800-171 program, follow this roadmap:
Step 1: Determine your required CMMC level. Review your current and anticipated DoD contracts. If you handle CUI, you need Level 2. If you handle only FCI, Level 1 is sufficient. Your contracting officer or prime contractor can clarify what level of information you handle.
Step 2: Conduct a gap assessment. Evaluate your current implementation status against all applicable practices. For Level 2, this means assessing all 110 NIST SP 800-171 practices and calculating your SPRS score. A professional gap assessment from a firm like Petronella Technology Group provides a detailed roadmap with prioritized remediation steps.
Step 3: Define your CUI scope and enclave. Identify where CUI enters, resides, and exits your organization. Design or refine your enclave architecture to minimize the systems subject to CMMC controls.
Step 4: Remediate gaps. Implement technical controls, develop required documentation, and train personnel. Prioritize high-weighted practices and those that cannot be placed on POA&M.
Step 5: Conduct an internal readiness review. Before engaging a C3PAO, perform a thorough internal assessment or hire a consultant to conduct a mock assessment. This identifies remaining gaps while there is still time to fix them.
Step 6: Engage a C3PAO. Select a C3PAO from the Cyber AB marketplace, schedule your assessment, and achieve your certification.
Frequently Asked Questions
What is the difference between CMMC and NIST SP 800-171?
NIST SP 800-171 is the set of 110 security requirements that CMMC Level 2 is based on. CMMC adds a certification and verification framework on top of NIST SP 800-171. Before CMMC, contractors self-attested to NIST SP 800-171 compliance. CMMC requires either a rigorous self-assessment or third-party verification that those practices are actually implemented.
How long does CMMC certification last?
CMMC Level 2 certification from a C3PAO assessment is valid for three years. However, the certified organization must submit an annual affirmation confirming continued compliance. Level 1 and Level 2 self-assessments must be renewed annually.
Can I use a cloud environment for CMMC compliance?
Yes, and for many organizations this is the most cost-effective approach. Cloud-based CUI enclaves using platforms like Microsoft GCC High or AWS GovCloud can significantly reduce the number of on-premises controls you need to implement. However, the cloud provider must meet FedRAMP Moderate or equivalent requirements, and you remain responsible for your configuration and data within the cloud environment.
What happens if I fail a CMMC assessment?
If a C3PAO assessment identifies deficiencies, you may be able to address some through POA&Ms (if your score is at least 88 and the practices are POA&M-eligible). For more significant failures, you will need to remediate and schedule a new assessment. There is no formal penalty for failing beyond the cost of remediation and reassessment, but you will not be able to win contracts requiring that CMMC level until you pass.
Do subcontractors need CMMC certification?
Yes. If CUI flows down to a subcontractor, that subcontractor must achieve the same CMMC level as the prime contractor for that information. Prime contractors are responsible for ensuring their supply chain meets CMMC requirements, and many are now requiring proof of CMMC compliance or a credible compliance roadmap before awarding subcontracts.
How much does a CMMC C3PAO assessment cost?
C3PAO assessment fees typically range from $30,000 to $120,000 depending on the size and complexity of the organization, the number of locations, and the scope of the CUI environment. Smaller organizations with a well-defined enclave can expect costs toward the lower end. Large organizations with multiple locations and complex architectures will be at the higher end.
What is the Cyber AB and how does it relate to CMMC?
The Cyber AB (formerly the CMMC Accreditation Body) is the sole authorized accreditation body for CMMC. It accredits C3PAOs, certifies individual assessors, and oversees the quality of the assessment ecosystem. The Cyber AB operates under contract to the DoD and maintains the marketplace where organizations can find accredited C3PAOs.
Can my IT provider also be my CMMC assessor?
No. CMMC has strict conflict-of-interest rules. A C3PAO cannot assess an organization that it has provided consulting or implementation services to within the preceding three years. This separation ensures assessment independence. Your consulting partner helps you prepare, and a separate C3PAO conducts the assessment.
Petronella Technology Group has helped over 200 defense contractors prepare for and achieve CMMC compliance. With 23 years of cybersecurity experience and deep expertise in NIST SP 800-171, we provide gap assessments, CUI enclave design, technology implementation, documentation development, and assessment preparation support. Contact us for a free CMMC readiness consultation to understand where your organization stands and what it will take to achieve certification.
About the Author: Craig Petronella is the CEO of Petronella Technology Group, a cybersecurity and compliance firm based in Raleigh, NC. With over 30 years of experience in IT and cybersecurity, Craig has authored 15 books on security topics and has guided hundreds of organizations through CMMC, HIPAA, and other compliance frameworks.